Debian 11->12 upgrade. Email not sending

Discussion in 'Installation/Configuration' started by chrisale, Feb 9, 2024.

Tags:
Page 1 of 2
  1. chrisale

    chrisale Member

    Hi again all,
    The last problem appears to have been related in part to upgrading from Debian 11->12, even though I did so on a brand new server. So I'm going out on a limb and hoping this is similar this time and give a clue as to the problem.
    Short Version: I can't send email.
    Either from the command line or from webmail for a created email mailbox.
    The squirrelmail interface simply says this:
    "SMTP Error (): Authentication failed."
    The mail.log file output is a little different though, complaining of a refused connection?
    Code:
    <936831><iqexNfkQ6qEAAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=430 out=1971 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=314 body_count=1 body_bytes=18
2024-02-09T20:59:59.389853+00:00 s91370 postfix/submission/smtpd[936832]: connect from localhost[::1]
2024-02-09T20:59:59.390092+00:00 s91370 postfix/submission/smtpd[936832]: warning: connect to Milter service inet:localhost:11332: Connection refused
2024-02-09T20:59:59.390552+00:00 s91370 postfix/submission/smtpd[936832]: disconnect from localhost[::1] ehlo=1 quit=1 commands=2
    Other searches seem to indicate a problem when switching to the rspamd. But I've never switched, as this is a new server. (unless upgrading from Debian 11 to Debian 12 is a switch).
    Note: I just updated ISPConfig to the p2 release.
    Receiving mail is working fine.
     
    chrisale, Feb 9, 2024
    #1
  2. chrisale

    chrisale Member

    Here is the postfix master.cf
    Code:
    
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================

# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================

# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}

#

# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
     
    chrisale, Feb 9, 2024
    #2
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Rspamd does not seem to be started, so its not a postfix issue.
     
    till, Feb 10, 2024
    #3
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Have you done the ISPConfig update and let it reconfigure services after you updated Debian? You must always update ISPConfig after the OS as it can not configure the new system otherwise.
     
    till, Feb 10, 2024
    #4
  5. chrisale

    chrisale Member

    yes, twice in fact. Once immediately after I upgraded to Debian 12 and again yesterday after the p2 update was released.
     
    chrisale, Feb 10, 2024
    #5
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    till, Feb 10, 2024
    #6
  7. chrisale

    chrisale Member

    Oh yes, sorry. I meant to do that as well. Here it is (just run now).
    Code:
    
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 12 (bookworm)

[INFO] uptime:  08:51:07 up 3 days, 16:32,  1 user,  load average: 0.06, 0.03, 0.00

[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:            31Gi       2.7Gi        25Gi       103Mi       3.9Gi        28Gi
Swap:          4.0Gi          0B       4.0Gi

[INFO] systemd failed services status:
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.11p2


##### VERSION CHECK #####

[INFO] php (cli) version is 8.2.15
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.2.15

##### PORT CHECK #####


##### MAIL SERVER CHECK #####


##### RUNNING SERVER PROCESSES #####

[INFO] I found the following web server(s):
    Unknown process (nginx:) (PID 754643)
[INFO] I found the following mail server(s):
    Postfix (PID 936692)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 936703)
[INFO] I found the following imap server(s):
    Dovecot (PID 936703)
[INFO] I found the following ftp server(s):
    PureFTP (PID 936752)

##### LISTENING PORTS #####
(only        ()
Local        (Address)
[anywhere]:4190        (936703/dovecot)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:953        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[localhost]:53        (936757/named)
[anywhere]:8081        (754643/nginx:)
[anywhere]:8080        (754643/nginx:)
[anywhere]:443        (754643/nginx:)
[anywhere]:465        (936692/master)
[anywhere]:143        (936703/dovecot)
[anywhere]:25        (936692/master)
[anywhere]:21        (936752/pure-ftpd)
[anywhere]:22        (878/sshd:)
[anywhere]:110        (936703/dovecot)
[anywhere]:80        (754643/nginx:)
[anywhere]:993        (936703/dovecot)
[anywhere]:995        (936703/dovecot)
[localhost]:6379        (859/redis-server)
[anywhere]:587        (936692/master)
[anywhere]:3306        (936300/mariadbd)
[localhost]:11211        (837/memcached)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
***.***.***.***:53        (936757/named)
[localhost]:10023        (761/postgrey)
***.***.***.***:10023        (761/postgrey)
*:*:*:*::*:4190        (936703/dovecot)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:953        (936757/named)
*:*:*:*::*:8081        (754643/nginx:)
*:*:*:*::*:8080        (754643/nginx:)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:53        (936757/named)
*:*:*:*::*:443        (754643/nginx:)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*:465        (936692/master)
[localhost]43        (936703/dovecot)
*:*:*:*::*:25        (936692/master)
*:*:*:*::*:21        (936752/pure-ftpd)
*:*:*:*::*:22        (878/sshd:)
[localhost]10        (936703/dovecot)
*:*:*:*::*:80        (754643/nginx:)
*:*:*:*::*:993        (936703/dovecot)
*:*:*:*::*:995        (936703/dovecot)
*:*:*:*::*:587        (936692/master)
*:*:*:*::*:6379        (859/redis-server)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*2a92:4aff:fe34:53        (936757/named)
*:*:*:*::*:3306        (936300/mariadbd)
*:*:*:*::*:10023        (761/postgrey)




##### IPTABLES #####
Chain INPUT (policy DROP)
target     prot opt source               destination      
f2b-postfix-sasl  6    --  [anywhere]/0            [anywhere]/0            multiport dports 25
f2b-sshd   6    --  [anywhere]/0            [anywhere]/0            multiport dports 22
ufw-before-logging-input  0    --  [anywhere]/0            [anywhere]/0        
ufw-before-input  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-input  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-logging-input  0    --  [anywhere]/0            [anywhere]/0        
ufw-reject-input  0    --  [anywhere]/0            [anywhere]/0        
ufw-track-input  0    --  [anywhere]/0            [anywhere]/0        

Chain FORWARD (policy DROP)
target     prot opt source               destination      
ufw-before-logging-forward  0    --  [anywhere]/0            [anywhere]/0        
ufw-before-forward  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-forward  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-logging-forward  0    --  [anywhere]/0            [anywhere]/0        
ufw-reject-forward  0    --  [anywhere]/0            [anywhere]/0        
ufw-track-forward  0    --  [anywhere]/0            [anywhere]/0        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
ufw-before-logging-output  0    --  [anywhere]/0            [anywhere]/0        
ufw-before-output  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-output  0    --  [anywhere]/0            [anywhere]/0        
ufw-after-logging-output  0    --  [anywhere]/0            [anywhere]/0        
ufw-reject-output  0    --  [anywhere]/0            [anywhere]/0        
ufw-track-output  0    --  [anywhere]/0            [anywhere]/0        

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination      
RETURN     0    --  [anywhere]/0            [anywhere]/0        

Chain f2b-sshd (1 references)
target     prot opt source               destination      
REJECT     0    --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
RETURN     0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-after-forward (1 references)
target     prot opt source               destination      

Chain ufw-after-input (1 references)
target     prot opt source               destination      
ufw-skip-to-policy-input  17   --  [anywhere]/0            [anywhere]/0            udp dpt:137
ufw-skip-to-policy-input  17   --  [anywhere]/0            [anywhere]/0            udp dpt:138
ufw-skip-to-policy-input  6    --  [anywhere]/0            [anywhere]/0            tcp dpt:139
ufw-skip-to-policy-input  6    --  [anywhere]/0            [anywhere]/0            tcp dpt:445
ufw-skip-to-policy-input  17   --  [anywhere]/0            [anywhere]/0            udp dpt:67
ufw-skip-to-policy-input  17   --  [anywhere]/0            [anywhere]/0            udp dpt:68
ufw-skip-to-policy-input  0    --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination      
LOG        0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination      
LOG        0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination      

Chain ufw-after-output (1 references)
target     prot opt source               destination      

Chain ufw-before-forward (1 references)
target     prot opt source               destination      
ACCEPT     0    --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 3
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 11
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 12
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 8
ufw-user-forward  0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-before-input (1 references)
target     prot opt source               destination      
ACCEPT     0    --  [anywhere]/0            [anywhere]/0        
ACCEPT     0    --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ufw-logging-deny  0    --  [anywhere]/0            [anywhere]/0            ctstate INVALID
DROP       0    --  [anywhere]/0            [anywhere]/0            ctstate INVALID
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 3
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 11
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 12
ACCEPT     1    --  [anywhere]/0            [anywhere]/0            icmptype 8
ACCEPT     17   --  [anywhere]/0            [anywhere]/0            udp spt:67 dpt:68
ufw-not-local  0    --  [anywhere]/0            [anywhere]/0        
ACCEPT     17   --  [anywhere]/0            ***.***.***.***          udp dpt:5353
ACCEPT     17   --  [anywhere]/0            ***.***.***.***      udp dpt:1900
ufw-user-input  0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination      

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination      

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination      

Chain ufw-before-output (1 references)
target     prot opt source               destination      
ACCEPT     0    --  [anywhere]/0            [anywhere]/0        
ACCEPT     0    --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLISHED
ufw-user-output  0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-logging-allow (0 references)
target     prot opt source               destination      
LOG        0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination      
RETURN     0    --  [anywhere]/0            [anywhere]/0            ctstate INVALID limit: avg 3/min burst 10
LOG        0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination      
RETURN     0    --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type LOCAL
RETURN     0    --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type MULTICAST
RETURN     0    --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 10
DROP       0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-reject-forward (1 references)
target     prot opt source               destination      

Chain ufw-reject-input (1 references)
target     prot opt source               destination      

Chain ufw-reject-output (1 references)
target     prot opt source               destination      

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination      
DROP       0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination      
DROP       0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination      
ACCEPT     0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-track-forward (1 references)
target     prot opt source               destination      

Chain ufw-track-input (1 references)
target     prot opt source               destination      

Chain ufw-track-output (1 references)
target     prot opt source               destination      
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            ctstate NEW
ACCEPT     17   --  [anywhere]/0            [anywhere]/0            ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination      

Chain ufw-user-input (1 references)
target     prot opt source               destination      
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:22
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:25
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:53
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:80
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:110
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:143
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:443
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:465
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:587
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:993
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:995
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:3306
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:4190
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:8081
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            multiport dports 40110:40210
ACCEPT     17   --  [anywhere]/0            [anywhere]/0            udp dpt:53
ACCEPT     6    --  [anywhere]/0            [anywhere]/0            tcp dpt:11332

Chain ufw-user-limit (0 references)
target     prot opt source               destination      
LOG        0    --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     0    --  [anywhere]/0            [anywhere]/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination      
ACCEPT     0    --  [anywhere]/0            [anywhere]/0        

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination      

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination      

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination      

Chain ufw-user-output (1 references)
target     prot opt source               destination      




##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
     

    Attached Files:

    chrisale, Feb 10, 2024
    #7
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so Rspamd is not running. Start it and if it does not start, check why in the mail.log and /var/log/rspamd/rspamd.log
     
    till, Feb 10, 2024
    #8
  9. chrisale

    chrisale Member

    systemctl is reporting that rspamd is masked and so can't be enabled.
    Code:
    # systemctl start rspamd
Failed to start rspamd.service: Unit rspamd.service is masked.

# systemctl enable rspamd
Synchronizing state of rspamd.service with SysV service script with /lib/systemd/systemd-sysv-install.
[B]Executing: /lib/systemd/systemd-sysv-install enable rspamd
Failed to enable unit: Unit file /etc/systemd/system/rspamd.service is masked.[/B]
    I unmasked it, enabled it, and started it successfully and restarted postfix.
    Nothing has appeared in rspamd.log (it is empty)
    In mail.log postfix produced the same connection refusal after restart
    Code:
    2024-02-10T17:10:02.788597+00:00 s91370 postfix/smtpd[1232367]: connect from localhost[::1]
2024-02-10T17:10:02.788765+00:00 s91370 postfix/smtpd[1232367]: warning: connect to Milter service inet:localhost:11332: Connection refused
2024-02-10T17:10:02.788947+00:00 s91370 postfix/smtpd[1232367]: lost connection after CONNECT from localhost[::1]
2024-02-10T17:10:02.789023+00:00 s91370 postfix/smtpd[1232367]: disconnect from localhost[::1] commands=0/0
2024-02-10T17:12:24.705874+00:00 s91370 postfix/smtps/smtpd[1232415]: connect from unknown[45.227.254.49]
2024-02-10T17:12:24.706083+00:00 s91370 postfix/smtps/smtpd[1232415]: SSL_accept error from unknown[45.227.254.49]: -1
2024-02-10T17:12:24.706162+00:00 s91370 postfix/smtps/smtpd[1232415]: warning: TLS library problem: error:0A00010B:SSL routines::wrong version number:../ssl/record/ssl3_record.c:354:
2024-02-10T17:12:24.712650+00:00 s91370 postfix/smtps/smtpd[1232415]: lost connection after CONNECT from unknown[45.227.254.49]
2024-02-10T17:12:24.712722+00:00 s91370 postfix/smtps/smtpd[1232415]: disconnect from unknown[45.227.254.49] commands=0/0
    I do notice a "TLS library problem"?

    It also appears that I've lost the ability to receive mail. Test emails from my regular accounts are no longer getting to the mail box. I can see the messages coming to the server in the log but it's not going to the mailbox. With rspamd on or off.

    Code:
    2024-02-10T17:18:26.480151+00:00 s91370 postfix/smtpd[1233053]: improper command pipelining after CONNECT from unknown[]: \003\000\000/*\340\000\000\000\000\000Cookie: mstshash=Administr\r\n\001\000\b\000\003\000\000\000
2024-02-10T17:18:26.480387+00:00 s91370 postfix/smtpd[1233053]: warning: connect to Milter service inet:localhost:11332: Connection refused
2024-02-10T17:18:26.588175+00:00 s91370 postfix/smtpd[1233053]: lost connection after UNKNOWN from unknown[]
2024-02-10T17:18:26.588313+00:00 s91370 postfix/smtpd[1233053]: disconnect from unknown[] unknown=0/1 commands=0/1

....

2024-02-10T17:20:02.220885+00:00 s91370 postfix/smtpd[1233053]: disconnect from localhost[::1] commands=0/0
2024-02-10T17:20:02.226841+00:00 s91370 dovecot: pop3-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<y4g+QQoRsLkAAAAAAAAAAAAAAAAAAAAB>
2024-02-10T17:20:02.227151+00:00 s91370 dovecot: imap-login: Disconnected: Connection closed (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<Yoo+QQoRgtEAAAAAAAAAAAAAAAAAAAAB>
2024-02-10T17:20:09.161378+00:00 s91370 dovecot: imap-login: Login: user=<**email removed**>, method=PLAIN, rip=::1, lip=::1, mpid=1233204, secured, session=<bTioQQoR5o4AAAAAAAAAAAAAAAAAAAAB>
2024-02-10T17:20:09.167438+00:00 s91370 dovecot: imap(**email removed**)<1233204><bTioQQoR5o4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=273 out=1516 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0

[/quote]
    Here's a little more complaining about SSL
    Code:
    2024-02-10T17:20:26.445889+00:00 s91370 dovecot: imap(**email removed**)<1233206><IdWvQgoRfo4AAAAAAAAAAAAAAAAAAAAB>: Disconnected: Logged out in=90 out=995 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
2024-02-10T17:20:51.894755+00:00 s91370 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (no auth attempts in 0 secs): user=<>, rip=**ip removed**, lip=**ip removed**, TLS handshaking: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number, session=<IGg0RAoR6f5QQljT>
     
    chrisale, Feb 10, 2024
    #9
  10. chrisale

    chrisale Member

    I noticed this message from postfix in the logs:
    Code:
    2024-02-10T17:23:14.105527+00:00 s91370 postfix[1233352]: Postfix is using backwards-compatible default settings
2024-02-10T17:23:14.105650+00:00 s91370 postfix[1233352]: See http://www.postfix.org/COMPATIBILITY_README.html for details
2024-02-10T17:23:14.105710+00:00 s91370 postfix[1233352]: To disable backwards compatibility use "postconf compatibility_level=3.6" and "postfix reload"
    So I have set that compatibility level. No impact.
    Based on the logs I believe there are two issues occurring right now.
    1) An issue with the SSL certificate that postfix is using preventing it from making a secure connection to sending clients/servers.
    2) and an issue with sending where it is not authenticating, or it is blocked in some way to the Milter service.
     
    chrisale, Feb 10, 2024
    #10
  11. chrisale

    chrisale Member

    Just seeing if rspamd is working.

    When I go to: https://ip.add.ress:8081/rspamd/
    I get 502 Bad Gateway

    Also: Is there a way to recreate the DKIM keys for an email domain if they are a source of the problem? This email was working yesterday morning before I updated ISPConfig to p2. The keys are in:
    /var/lib/amavis/dkim
     
    Last edited: Feb 10, 2024
    chrisale, Feb 10, 2024
    #11
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The issues you posted above are not related to DKIM. The DKIM cert is not used by Postfix at all. The issue you posted is most likely not related to ISPConfig and not to the ISPConfig update, they are caused by the Debian update. It seems as if you connect with older clients that do not support modern TLS protocols, and due to the new Debian version, such older clients that only support old SSL3 protocol are denied.

    Do you get a SSL error when accessing ISPconfig GUI with a browser? If yes, use the ISPConfig updater to recreate the SSL cert. if no, then your SSL cert is fine. And regarding Rspamd, check if its really running, might be that it is down again. Might also be that your system runs ou of memory and this kills Rspamd.
     
    till, Feb 10, 2024
    #12
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    till, Feb 10, 2024
    #13
  14. chrisale

    chrisale Member

    The email clients were working with the Debian 12 setup yesterday before updating to p2, I did redo the SSL certs at that time so I suspect that broke the client side. I am not using any clients other than Squirrelmail on the server. I am sending email from my gmail and exchange accounts.

    Ill check on the rspamd.
    I do wonder if so many of these issues are related to the Debian 11 to 12 update if it would be best to simply reinstall the server completely with a fresh Debian 12. My host would only install 11, but I have the option of installing 12 myself.
     
    chrisale, Feb 10, 2024
    #14
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    But the problem is that the p2 release does not contain any changes in the mail config. So whatever caused your issue, its not the p2 release in comparison to the p1 release.

    You can redo the update at any time with:

    ispconfig_update.sh --force

    and let it reconfigure services again and also the SSL cert. btw. if the SSL cert is working then you should not create a new one as it makes no sense and might just break things.

    If you do not have much on the server yet, then that#s an option of course. In this case, take an empty Debian 11 image from your hoster, upgrade to debian 12 first and then install ISPConfig using the auto installer: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
     
    till, Feb 10, 2024
    #15
  16. chrisale

    chrisale Member

    I suspect it did just break things when I forced the SSL update. So that's on me, lesson learned.
    The one thing that defijitely wasnt working before I likely broke SSL was the sending connection. I would like to know its root cause before I reinstall in case it crops up again.
     
    chrisale, Feb 10, 2024
    #16
  17. chrisale

    chrisale Member

    I just removed the email domain from ISPConfig and recreated it and now I can receive email again to the domain address. So there must have been something that broke when I forced the update to SSL.

    I am back to just not being able to send mail from the server.
    I'll keep working on that with the suggestions you made.
     
    chrisale, Feb 10, 2024
    #17
  18. chrisale

    chrisale Member

    Doing more digging and it just seems as though the rspamd service is at the root of it and not listening/accepting connections even though it is reported as active by systemctl and no errors come up in either the rspamd.log or syslog.

    Can I turn on a higher level of debugging in postfix for the system itself to see why rspamd isn't listening properly?
     
    Last edited: Feb 11, 2024
    chrisale, Feb 11, 2024
    #18
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do that, its not ispconfig specific, just google debug postfix, but postfix will not report any issues when the problem is rspamd, so I doubt that this will help you much. better try to debug rspamd, and also check things like that your harddisk is not full and you have enough free ram.
     
    till, Feb 11, 2024
    #19
  20. chrisale

    chrisale Member

    OK. Some progress.
    After nothing of interest really came out of the debug logs I decided to go back to basics and just figure out why rspamd wasn't picking up the connection.
    so I tried to reinstall rspamd
    (apt install rspamd)
    Turns out it was missing a package?
    Code:
    apt install rspamd
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libhyperscan5
The following NEW packages will be installed:
  libhyperscan5 rspamd
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,110 kB/6,599 kB of archives.
After this operation, 31.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://rspamd.com/apt-stable bookworm/main amd64 rspamd amd64 3.8.1-1~b8a2d79ee~bookworm [4,110 kB]
Fetched 4,110 kB in 2s (2,304 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libhyperscan5.
(Reading database ... 74511 files and directories currently installed.)
Preparing to unpack .../libhyperscan5_5.4.0-2_amd64.deb ...
Unpacking libhyperscan5 (5.4.0-2) ...
Selecting previously unselected package rspamd.
Preparing to unpack .../rspamd_3.8.1-1~b8a2d79ee~bookworm_amd64.deb ...
Unpacking rspamd (3.8.1-1~b8a2d79ee~bookworm) ...
Setting up libhyperscan5 (5.4.0-2) ...
Setting up rspamd (3.8.1-1~b8a2d79ee~bookworm) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
    Not sure why it wasn't installed fully before. The possibilities are:
    1) ISPConfig didn't install libhyperscan on Debian 11 (perhaps it wasn't needed?) and that carried over.
    2) It got lost somewhere in the update to Debian 12

    After that, rspamd actually started successfully and the connection refused has gone away.

    However, email is still not sending.
    So I'm on to the next step I guess. I'll keep working on it.
    It has nothing to do with hard drive space or RAM, this is a fresh install 1TB HD 32GB RAM with nothing installed. The problem is in the configuration.
     
    chrisale, Feb 11, 2024
    #20
Page 1 of 2

Share This Page